In a recent discussion, Greg Garcia, the executive director of cybersecurity for the Health Sector Coordinating Council (HSCC), emphasized the urgent need for improved responses to disruptive cyber events within the healthcare sector. His comments reflect growing concerns about the industry’s vulnerabilities, particularly during incidents that could have widespread consequences. Garcia articulated these points during an interview with Information Security Media Group held at the Healthcare Information Management and Systems Society (HIMSS) 2026 conference in Las Vegas.
In a bid to bolster the sector’s defensive measures and enhance collaborative responses, the HSCC, along with the Health Information Sharing and Analysis Center (Health-ISAC), has announced a significant initiative: a two-day national cybersecurity tabletop exercise scheduled for July. This exercise aims to rigorously assess how healthcare enterprises, as well as cross-sector entities, respond to cyber incidents, scrutinizing critical functions and patient safety protocols in the process.
Garcia stressed that participation in these exercises is crucial for all regulated entities within the healthcare landscape, including insurers, pharmaceutical manufacturers, medical device providers, and healthcare practitioners. He noted that contributions are welcome from organizations regardless of their association with the HSCC’s cybersecurity working group or the Health-ISAC.
Additionally, Garcia revealed that government representatives would also be invited to the exercise, highlighting the initiative’s collaborative nature. The call for diverse participation was a central theme of Garcia’s message. He encouraged individuals from various roles—ranging from compliance officers and legal counsel to operational staff and even C-suite executives—to engage in the exercise. “We want to have different disciplines working together on this,” he emphasized, underscoring the importance of a multi-faceted approach to incident response.
Previously, the HSCC has conducted smaller-scale cybersecurity exercises. However, Garcia conveyed that the upcoming national tabletop exercise would be larger in both scale and scope, providing a more comprehensive evaluation of internal response mechanisms alongside inter-organizational coordination. “We’ll be testing not just internal capabilities and response mechanisms but how we coordinate across boundaries,” he articulated, indicating a paradigm shift in how the sector prepares for cyber threats.
The two half-days of virtual tabletop exercises are set to occur on July 21-22, with participants expected to engage in a range of scenarios that may reflect potential industry-wide cyber threats. Garcia hinted at the kind of scenarios that might be utilized during the exercise, emphasizing that the insights gained could greatly enhance incident response strategies within participants’ own organizations.
Moreover, he underscored the paramount importance of increased cyber incident preparedness, asserting that the healthcare and public health sectors must elevate their readiness levels in response to evolving cyber threats. This preparation is not just a matter of safeguarding individual organizations but is essential to protect broader public health interests.
Garcia’s extensive background lends credence to his insights; prior to his role at HSCC, he was the inaugural Assistant Secretary for Cybersecurity and Communications at the Department of Homeland Security during President George W. Bush’s administration. His career also includes serving as executive director of the Financial Services Sector Coordinating Council and holding senior positions at Bank of America, 3Com Corp, and other notable organizations.
In summary, the healthcare sector is at a critical juncture, facing an array of cybersecurity threats that could jeopardize patient safety and the integrity of health services. Garcia’s call to action serves as a reminder of the importance of proactive collaboration and comprehensive preparedness within the industry. As the national cybersecurity tabletop exercise approaches, the emphasis remains on fostering a unified response framework, ensuring that healthcare entities are not only prepared to defend against cyber threats but are also equipped to respond effectively when incidents occur.